Page tree
Skip to end of metadata
Go to start of metadata

This section will introduce you to the Components tab in Kiuwan Insights. 

Contents

Components Inventory

Kiuwan Insight analyzes your application software, discovering all external dependencies, and builds a components inventory that lets you track any external piece of code that could be part of your application.

Go to Insights > Components to access the components inventory. 

Supported languages and resources

Kiuwan Insights uses the following resources to extract information on 3rd party dependencies.

Supported languagesSupported repositoriesSupported build systemsRepositories UsedDatabase Vulnerabilities UsedLicenses extract from
Go
  • GitHub
  • go.mod
  • Gopkg.lock
GitHub: https://github.com/
  • GitHub
Java
  • Maven
  • Gradle
  • Ant (*.xml files)
  • Maven (pom.xml files)
  • Gradle (*.gradle files)
  • *.jar, *.war, *.ear files

Maven (central or others configured in settings.xml or pom.xml files):

https://repo.maven.apache.org/maven2/

  • pom.xml
  • License file into jar file.
Javascript
  • Npm
  • Bower
  • Npm (package.json files)
  • Bower (bower.json files)
  • Yarn (package.json files)
Npm: https://www.npmjs.com/
  • NPM Rest services.
Kotlin
  • Maven
  • Gradle
  • Ant
  • Ant (*.xml files)
  • Maven (pom.xml files)
  • Gradle (*.gradle and *.gradle.kts files)

Maven (central or others configured in settings.xml or pom.xml files):

https://repo.maven.apache.org/maven2/

  •  Maven services
.Net
  • Nuget
  • Nuget (*.csproj, project.json, global.json, *.vbproj files)
Nuget: https://www.nuget.org/
  • Nuget Rest services.
Php
  • Packagist
  • Composer (composer.json, composer.lock files)
Packagist: https://packagist.org/
Python
  • PyPI
  • GitHub
  • PyPI (setup.py files)
  • Requirements (txt file with declared dependencies)
PyPI: https://pypi.org/
  • PyPI Rest services
Ruby
  • RubyGems
  • Gemfile, Gemfile.lock and *.gemspec files
RubyGems: https://rubygems.org/
  • License and obsolescence pending
Scala
  • Maven

  • SBT (build.sbt)

Maven (central or others configured in settings.xml or pom.xml files):

https://repo.maven.apache.org/maven2/

  • pom.xml.
Swift
  • Cocoapods
  • GitHub
  • Podspec (*.podspec, Podfile.lock files)
  • Package (Package.swift files)

Repository Podspec in Github:

https://github.com/CocoaPods/Specs

  • podspec.json of the component.

The Components Inventory section shows the following information:

  1. Overall Information on Components – aggregated information on number and type of components
  2. List of Components – detailed listing of components
  3. Component detail – detailed information on selected component

 

 

Overall Information on Components

 

  • Number of components by language
  • Number of components by Security Risk level (High, Medium, Low and None)
  • Alerts :
    • Components with High-Security Risk
    • Components being used with different versions that might cause conflicts
    • Etc.

List of Components

Kiuwan Insights provides a full list of all those components being used by your application.

For every 3rd party component, you will have access to detailed component information such as:

NameDescription

Component name

Name of the component

Version

The version(s) in use
FilenameThe physical container (.jar, .dll, .js, etc)
LanguageThe programming language it is written in.
Obsolescence riskA component’s Obsolescence Risk is a measure of the risk level relative to:
  • the antiquity of your version respect to the latest version, and
  • how active is the component

Both values are combined in the Obsolescence Risk to provide a value of the risk associated with using outdated or “dead” components.

Please visit Obsolescence Risk for further information.

License risk

A component’s License Risk is a measure of the risk level relative to the legal implications of used components’ licenses.

Please visit Insights Licenses for further information.

Security risk

A component’s Security Risk is based on CVSS v2 Base Scores (Severities) of its vulnerabilities:

  • If the selected component has more than one vulnerability, Kiuwan will label the component with the highest severity value of all the vulnerabilities of the component.
  • If the selected component has only one vulnerability, the Severity of that vulnerability will be the Security Risk of the component.


Component details

By clicking on a component, you will have access to the following information:

  • The description of the component
  • The license of the component
  • Found vulnerabilities of the selected component:
    • CVE identifier, and link to NIST National Vulnerability Database desc page
    • CWE type, and link to MITRE Common Weakness Enumeration desc page
    • Vulnerability description
    • Severity (more on this at Security Risk )

Duplicated components

With Kiuwan Insights you can identify different versions of the same component used by your application. 

 The below example shows that the analyzed application is incorporating two different versions of ZKoss common library: 8.0.1 and 6.0.0

Most probably, this component duplication is not intended, and it’s something that would produce maintainability headaches when upgrading to a newer version of the library.

 

  • No labels